Spectre: A Dependable Introspection Framework via System Management Mode
Fengwei Zhang, Kevin Leach, Kun Sun, and Angelos Stavrou. In DSN'13.
Presented by Fengwei Zhang
Wayne State University CSC 6991 Topics in Computer Security 1
Agenda
• Introduction
• Background
• System Framework
• Experimental Results
• Conclusion
Introduction
• Malware detection and analysis remain an open research problem
• Traditionally, malware detection is provided by installing anti-malware tools (e.g., anti-virus) within the OS
• However, these detection tools are vulnerable to malware running at the same level (e.g., rootkits)
• 'Out-of-box' introspection mechanisms have been proposed for malware detection and analysis (e.g., virtual machine introspection)
Introduction
• Virtual Machine Introspection (VMI) systems run malware within a VM and use an analysis tool to introspect the malware from outside
• VMI systems have been widely adopted for malware detection and analysis. They isolate the malware detection software from a vulnerable guest [4,5,6]
• Limitations of VMI systems:
  – Large Trusted Computing Base (TCB) (e.g., Xen 4.2 has 208K lines of code)
  – Armored malware can detect the presence of a VM and alter its own execution (e.g., anti-VM techniques)
  – High performance overhead
• We present Spectre, a dependable introspection framework via system management mode
Background
System Management Mode (SMM)
• A CPU mode on the x86 architecture
• After entering SMM, the CPU executes the System Management Interrupt (SMI) handler
• The SMI handler is stored in a sealed storage called System Management RAM (SMRAM)
• The BIOS locks the SMRAM, and the SMRAM is inaccessible from any other CPU mode
• SMM-based systems
  – Integrity checking: HyperGuard [7], HyperCheck [8], HyperSentry [1]
  – SMM rootkits [3,2]
  – Attacks against SMM [9]
Background
Basic Input and Output System (BIOS) and Coreboot
• BIOS code is stored in non-volatile ROM, and it is responsible for hardware initialization before the OS starts
• Coreboot is an open source project aimed at replacing the BIOS in current computers
• Spectre uses a custom SMI handler in Coreboot
System Framework
• Step 1: Periodic triggering of SMM
• Step 2: Rebuilding semantic information
• Step 3: Running a detection module
• Step 4: Communication with monitor server
[Figure: the Spectre system regularly introspects native memory on the target machine. Target machine: Enter SMM → Rebuild semantic data → select module (Check kernel code / Check kernel data / Check program data / optional custom module ...) → Report alerts. Monitor machine: receives 'heartbeat' messages and alerts, and decides whether an attack occurred.]
Step 1: Periodic Triggering of SMM
• Two ways to trigger an SMI
  – Software-based: write to an ACPI port specified by the chipset
  – Hardware-based: NIC card, keyboard, mouse, and hardware timer
• The hardware-based method is more reliable than the software-based method, so we use a hardware timer at the southbridge to periodically assert an SMI
Step 2: Rebuilding Semantic Information
• SMM only sees the raw memory, and does not know the semantics of the memory (e.g., OS data structures)
• Similar to the semantic gap problem in VMI systems
• We manually bridge the semantic gap in our prototype; automatic bridging has been studied (e.g., Virtuoso [6], VMST [4])
[Figure: Windows heap layout as reconstructed from raw memory. Executive Process → Process Environment Block (PEB) → Heap List (Heap H0, H1, H2, H3, H4, ... Hn) → Heap H0 metadata and its segments (Segment S0, S1, S2, ... Sn) → Segment S0 metadata with FirstEntry/LastEntry → Entries E1, E2, E3, ... En, each followed by its data.]
[Figure: Windows process list as reconstructed from raw memory. Static VA of KPCR (0xffdff000) → KdVersionBlock (+34h) → PsActiveProcessHead → circular doubly linked list (prev/next links at +78h) of executive processes, e.g., "System", "explorer.exe", "lsass.exe", and other executive processes; each process points to its handle table (Handle Table 1, 2, 3) and other heap tables.]
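To make the process-list reconstruction on the slide concrete, here is an added example (not code from the paper or from the Spectre prototype) that walks a constructed 4 KB memory image in C the way an SMI handler would walk raw memory: from the static VA of KPCR (0xffdff000) to KdVersionBlock at +34h, to PsActiveProcessHead, and then around the doubly linked list whose links sit at +78h in each executive process, as drawn on the slide. The offset of PsActiveProcessHead inside the version block, the process-name offset, the identity mapping of virtual addresses onto the image, and packing everything into a single page are assumptions made for the example. The link consistency checks (the back-link must point at the predecessor, every pointer must stay inside the image, the walk is bounded) are what a practitioner adds so that a tampered or unlinked list is reported instead of silently followed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed 4 KB image standing in for the raw memory the SMI handler
 * reads. The page at the static VA of KPCR (0xffdff000) maps to offset 0;
 * for the example the version block and the process objects are packed into
 * the same page (real executive processes live elsewhere in kernel memory
 * and need the page tables walked first). */
#define IMAGE_BASE_VA   0xffdff000u
#define IMAGE_SIZE      4096u
#define KPCR_KDVB_OFF   0x34u  /* KdVersionBlock pointer inside KPCR (from the slide) */
#define KDVB_PSHEAD_OFF 0x10u  /* assumed: PsActiveProcessHead pointer inside the version block */
#define EPROC_LINKS_OFF 0x78u  /* list entry inside an executive process (from the slide) */
#define EPROC_NAME_OFF  0xa0u  /* assumed: process name inside the constructed process object */
#define MAX_PROCS       64

static uint8_t image[IMAGE_SIZE];

/* Read a little-endian 32-bit word at a virtual address; returns 0 and clears
 * *ok if the address falls outside the image (a bad pointer is itself a red flag). */
static uint32_t rd32(uint32_t va, int *ok)
{
    uint32_t off = va - IMAGE_BASE_VA;
    if (va < IMAGE_BASE_VA || off + 4 > IMAGE_SIZE) { *ok = 0; return 0; }
    return (uint32_t)image[off] | (uint32_t)image[off + 1] << 8 |
           (uint32_t)image[off + 2] << 16 | (uint32_t)image[off + 3] << 24;
}

void image_write32(uint32_t va, uint32_t v)
{
    uint32_t off = va - IMAGE_BASE_VA;
    if (va < IMAGE_BASE_VA || off + 4 > IMAGE_SIZE) return;
    image[off] = v & 0xff;            image[off + 1] = (v >> 8) & 0xff;
    image[off + 2] = (v >> 16) & 0xff; image[off + 3] = (v >> 24) & 0xff;
}

/* Populate the image: KPCR -> KdVersionBlock -> PsActiveProcessHead ->
 * circular doubly linked list of three executive processes. */
void build_image(void)
{
    const uint32_t kdvb = IMAGE_BASE_VA + 0x100, head = IMAGE_BASE_VA + 0x200;
    const uint32_t procs[3] = { IMAGE_BASE_VA + 0x400, IMAGE_BASE_VA + 0x600, IMAGE_BASE_VA + 0x800 };
    const char *names[3] = { "System", "explorer.exe", "lsass.exe" };
    uint32_t links[4];
    memset(image, 0, sizeof image);
    image_write32(IMAGE_BASE_VA + KPCR_KDVB_OFF, kdvb);
    image_write32(kdvb + KDVB_PSHEAD_OFF, head);
    links[0] = head;
    for (int i = 0; i < 3; i++) {
        links[i + 1] = procs[i] + EPROC_LINKS_OFF;
        strncpy((char *)&image[procs[i] - IMAGE_BASE_VA + EPROC_NAME_OFF], names[i], 15);
    }
    for (int i = 0; i < 4; i++) {               /* Flink at +0, Blink at +4 */
        image_write32(links[i], links[(i + 1) % 4]);
        image_write32(links[i] + 4, links[(i + 3) % 4]);
    }
}

/* Walk from KPCR to the process list, copying each name into names[].
 * Returns the process count, or -1 if a pointer leaves the image, the
 * back-link of a node does not point at its predecessor, or the list does
 * not return to its head within MAX_PROCS steps. */
int walk_process_list(char names[][16], int max)
{
    int ok = 1, n = 0;
    uint32_t kdvb = rd32(IMAGE_BASE_VA + KPCR_KDVB_OFF, &ok);
    uint32_t head = rd32(kdvb + KDVB_PSHEAD_OFF, &ok);
    uint32_t prev = head, cur = rd32(head, &ok);
    while (ok && cur != head) {
        if (n >= max || n >= MAX_PROCS || rd32(cur + 4, &ok) != prev) return -1;
        uint32_t proc = cur - EPROC_LINKS_OFF;
        if (proc < IMAGE_BASE_VA || proc - IMAGE_BASE_VA + EPROC_NAME_OFF + 16 > IMAGE_SIZE) return -1;
        memcpy(names[n], &image[proc - IMAGE_BASE_VA + EPROC_NAME_OFF], 16);
        names[n][15] = '\0';
        n++; prev = cur; cur = rd32(cur, &ok);
    }
    if (!ok || rd32(head + 4, &ok) != prev) return -1;
    return n;
}

int main(void)
{
    char names[MAX_PROCS][16];
    build_image();
    int n = walk_process_list(names, MAX_PROCS);
    printf("%d processes\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", names[i]);
    return 0;
}
```

image_write32 is left exported so a reader can corrupt one link and watch the walk return -1 instead of a partial list. In the real system the translation from virtual to physical address goes through the target OS's page tables rather than a fixed base, and that translation is itself part of the semantic gap the handler has to bridge.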
Semantic Gap Problem in VMI
• SoK: Introspections on Trust and the Semantic Gap. Bhushan Jain, Mirza Basim Baig, Dongli Zhang, Donald E. Porter, and Radu Sion. In S&P'14.
• SMM-based systems, TrustZone-based systems, SGX, other hardware isolated execution environments (HIEEs)
Step 3: Running a Detection Module
• We demonstrate the capability of our framework with three memory-based attacks:
  – Detecting heap spray attacks
  – Detecting heap overflow attacks
  – Detecting rootkits
• Other checking modules can be added to Spectre with their corresponding detection algorithms
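The modules on this slide are named without their algorithms. The following added example (mine, not the paper's; the heap layout, the digest scheme and the spray heuristic are assumptions) shows the shape of the "select module" step in C: a table of detection modules that each read a memory view and return an alert. The kernel code check compares a digest of the kernel text against a baseline recorded while the system was known good; the heap overflow check walks a constructed heap's entry chain and flags a size header that no longer fits; the heap spray check counts entries whose payload is one repeated byte. run_modules returns a bitmask so the handler can report which modules fired.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Memory view handed to each module. In Spectre this would be raw memory read
 * from inside SMM; here both regions are constructed buffers. */
struct mem_view { const uint8_t *text; size_t text_len; const uint8_t *heap; size_t heap_len; };
typedef int (*detect_fn)(const struct mem_view *v);   /* 1 = alert, 0 = clean */

/* Module: check kernel code. FNV-1a over the kernel text compared with a
 * baseline recorded while the system was known good. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
static uint32_t text_baseline;
void record_kernel_baseline(const uint8_t *text, size_t n) { text_baseline = fnv1a(text, n); }
int check_kernel_code(const struct mem_view *v) { return fnv1a(v->text, v->text_len) != text_baseline; }

/* Constructed heap layout (assumed for this example): entries back to back,
 * each a 4-byte little-endian size (header included) followed by payload. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Visit every entry; returns 0 if the chain ends exactly at heap_len, -1 if a
 * size is impossible. The callback sees each payload. */
static int walk_heap(const struct mem_view *v, void (*cb)(const uint8_t *, size_t, void *), void *ctx)
{
    size_t off = 0;
    while (off + 4 <= v->heap_len) {
        uint32_t size = rd32(v->heap + off);
        if (size < 4 || size > v->heap_len - off) return -1;   /* header overwritten */
        if (cb) cb(v->heap + off + 4, size - 4, ctx);
        off += size;
    }
    return off == v->heap_len ? 0 : -1;
}

/* Module: check heap overflow. An overflow that tramples the next entry's
 * header breaks the chain. */
int check_heap_overflow(const struct mem_view *v) { return walk_heap(v, NULL, NULL) != 0; }

/* Module: check heap spray. Heuristic assumed for this example: payloads of
 * 64+ bytes made of one repeated byte are counted, and more than half of all
 * entries looking like that raises an alert. */
struct spray_stats { size_t entries, repeated; };
static void spray_cb(const uint8_t *p, size_t n, void *ctx)
{
    struct spray_stats *s = ctx;
    s->entries++;
    if (n < 64) return;
    for (size_t i = 1; i < n; i++) if (p[i] != p[0]) return;
    s->repeated++;
}
int check_heap_spray(const struct mem_view *v)
{
    struct spray_stats s = { 0, 0 };
    if (walk_heap(v, spray_cb, &s) != 0) return 0;   /* a broken chain is the overflow module's call */
    return s.entries > 0 && s.repeated * 2 > s.entries;
}

/* "select module": run the enabled modules and return a bitmask of alerts
 * (bit 0 kernel code, bit 1 heap overflow, bit 2 heap spray). */
struct module { const char *name; detect_fn fn; int enabled; };
static struct module modules[] = {
    { "kernel code",   check_kernel_code,   1 },
    { "heap overflow", check_heap_overflow, 1 },
    { "heap spray",    check_heap_spray,    1 },
};
unsigned run_modules(const struct mem_view *v)
{
    unsigned alerts = 0;
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (modules[i].enabled && modules[i].fn(v)) alerts |= 1u << i;
    return alerts;
}

/* Build a constructed heap of n entries with `payload` bytes each; the first
 * spray_n entries get one repeated byte, the rest varied bytes. Returns bytes used. */
size_t build_heap(uint8_t *buf, size_t cap, size_t n, size_t payload, size_t spray_n)
{
    size_t off = 0;
    for (size_t i = 0; i < n && off + 4 + payload <= cap; i++) {
        uint32_t size = (uint32_t)(4 + payload);
        for (int b = 0; b < 4; b++) buf[off + b] = (uint8_t)(size >> (8 * b));
        for (size_t j = 0; j < payload; j++)
            buf[off + 4 + j] = i < spray_n ? 0xaa : (uint8_t)(i * 31 + j * 7);
        off += size;
    }
    return off;
}
```

The baseline digest has to be taken when the kernel text is trusted, which in this design means inside SMM at boot rather than from the OS; and the spray threshold is a tunable that trades false positives for detection rate, which is why it sits in one place rather than being hard-wired into the walk.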
Step 4: Communication with Monitor Machine
• The SMI handler alerts the monitor machine over a serial or Ethernet cable
• We port the NIC driver into the SMI handler because we do not want to trust any code in the OS
• 'Heartbeat' messages can be used to detect denial of service attacks
• Exit from SMM and resume OS state
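Added example of the monitor-machine side of this step (not code from the paper; the message format and the "two missed heartbeats" policy are assumptions made here): parse heartbeat and alert lines arriving over the cable, compute detection time as SMM exit time minus SMM enter time from the two timestamps carried in an alert, and raise a denial-of-service alert either when sequence numbers jump or when the monitor's own timer sees silence longer than two heartbeat intervals.

```c
#include <stdio.h>
#include <string.h>

/* Wire format assumed for this example (the slides only say that alerts and
 * 'heartbeat' messages cross a serial or Ethernet cable):
 *   "HB <seq>"                                   periodic heartbeat
 *   "ALERT <seq> <module> <enter_us> <exit_us>"  alert with SMM enter/exit timestamps
 * Detection time = time at SMM exit - time at SMM enter, as on the slides. */
enum msg_type { MSG_HEARTBEAT, MSG_ALERT, MSG_BAD };
struct msg { enum msg_type type; unsigned seq; char module[32]; double detect_us; };

int parse_message(const char *line, struct msg *out)
{
    double enter_us, exit_us;
    memset(out, 0, sizeof *out);
    if (sscanf(line, "HB %u", &out->seq) == 1) { out->type = MSG_HEARTBEAT; return 0; }
    if (sscanf(line, "ALERT %u %31s %lf %lf", &out->seq, out->module, &enter_us, &exit_us) == 4) {
        out->type = MSG_ALERT;
        out->detect_us = exit_us - enter_us;
        return 0;
    }
    out->type = MSG_BAD;
    return -1;
}

/* Monitor state: every message carries a sequence number, so a gap in
 * sequence numbers or a long silence both mean heartbeats were lost.
 * Policy assumed here: MAX_MISSED lost heartbeats count as a denial of service. */
#define MAX_MISSED 2
struct monitor {
    double interval_s, last_t, last_detect_us;
    unsigned last_seq;
    int started, alerts, dos;
};

void monitor_init(struct monitor *m, double interval_s)
{
    memset(m, 0, sizeof *m);
    m->interval_s = interval_s;
}

/* Feed one received line at time `now`.
 * Returns 0 (nothing new), 1 (attack alert), 2 (denial of service), -1 (unparseable). */
int monitor_feed(struct monitor *m, const char *line, double now)
{
    struct msg msg;
    int result = 0;
    if (parse_message(line, &msg) != 0) return -1;
    if (m->started && msg.seq > m->last_seq + MAX_MISSED) m->dos = 1;   /* >= MAX_MISSED messages lost */
    if (msg.type == MSG_ALERT) {
        m->alerts++;
        m->last_detect_us = msg.detect_us;
        result = 1;
    }
    m->started = 1; m->last_t = now; m->last_seq = msg.seq;
    return m->dos ? 2 : result;
}

/* Called from the monitor's own timer: silence longer than MAX_MISSED intervals. */
int monitor_tick(struct monitor *m, double now)
{
    if (m->started && now - m->last_t > MAX_MISSED * m->interval_s) m->dos = 1;
    return m->dos ? 2 : 0;
}

int main(void)
{
    struct monitor m;
    monitor_init(&m, 1.0);
    printf("feed HB 1 -> %d\n", monitor_feed(&m, "HB 1", 0.0));
    printf("feed ALERT -> %d, detection time %.0f us\n",
           monitor_feed(&m, "ALERT 2 rootkit 1000 4500", 1.0), m.last_detect_us);
    printf("silence at t=4.5 -> %d\n", monitor_tick(&m, 4.5));
    return 0;
}
```

The sequence-number check catches a target that is still alive but whose SMI is being suppressed or whose NIC path is being starved, while the timer check catches a target that has stopped sending altogether; both conditions are latched in `dos` because a single late heartbeat should not clear an alert the operator has not yet seen.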
Prototype Specification
• Hardware
  – Motherboard: ASUS M2V-MX SE
  – CPU: 2.2 GHz AMD Sempron LE-1250
  – RAM: 2 GB Kingston DDR2
  – NICs: Integrated NIC and Intel e1000 Gigabit with PCI
• Software
  – BIOS: Coreboot + SeaBIOS
  – OSes: Linux (CentOS 5.5) and Windows XP SP3
Memory Attack Detection
• Run various memory attacks, and measure the detection time in the SMM
• Detection time = time at SMM exit - time at SMM enter
System Overhead
• Spectre is OS-agnostic, and can detect memory attacks on both Windows and Linux platforms
• Benchmark: PassMark on Windows and UnixBench on Linux
• First, we run different detection modules, and record their benchmark scores
  – Without detection module
  – Heap spray detection module
  – Heap overflow detection module
  – Rootkit detection module
• Second, we change the SMI triggering rate; it ranges from 1/16 s to 5 s
System Overhead
• X-coordinate: sampling interval
• Y-coordinate: percent overhead
[Figure: two charts, Windows (left) and Linux (right). X-axis: sampling interval of 5 s, 2 s, 1 s, 1/2 s, 1/16 s. Y-axis: percent overhead, 0% to 20%. Windows series: without detection module, heap spray module, heap overflow module, rootkit module. Linux series: without detection module, heap spray detection module, rootkit detection module.]
Comparison with VMI Systems
• Smaller code base: Spectre only trusts the BIOS, but VMI systems need to trust the hypervisor
• More transparent: armored malware with anti-VM techniques cannot detect it
• Better performance
Conclusion
• We introduce a hardware-assisted framework that can examine code across all layers of a running system
• Spectre is OS-agnostic and fully transparent to higher level software
• We have implemented a prototype of our framework on both Linux and Windows, and demonstrate that our system can detect various memory attacks including heap spray, heap overflow and rootkits
References